
You use /domainprep to update AD objects and security (e.g., access control entries—ACEs) for each domain. You must run /domainprep from the console of the infrastructure master DC in every domain. The /domainprep switch is much faster and generates a lot less output than /forestprep. If all goes well, the only feedback you receive is "Adprep successfully updated the domain-wide information."

Adprep is located in the \i386 directory on the Windows 2003 CD-ROM; it isn't installed by default into the %windir% folder as are the other command-line tools in this article. To successfully run Adprep /forestprep you must

  • be logged on to the console of the schema master DC
  • have installed at least Win2K Service Pack 2 (SP2—SP3 is highly recommended) on all your DCs
  • be a member of both the Enterprise Admins and Schema Admins groups

To run Adprep /domainprep, you must

  • be logged on to the domain's infrastructure master DC
  • be a member of the Enterprise Admins or the local Domain Admins group

You can find many more details about the crucial process of preparing your Win2K forest for Windows 2003 in "Preparing for Upgrades in a Domain Containing Windows 2000 Domain Controllers," Section 4.1 in \docs\xxxsrv1.txt (where xxx is the product SKU number) on the Windows 2003 CD-ROM.

You must successfully complete both Adprep procedures before you can begin your DC upgrades. Although you won't run Adprep nearly as much as the other command-line utilities, it's more important than any of them.

The Dsadd Utility
The Dsadd utility adds to AD the most common types of objects: users, computers, groups (security or distribution), OUs, and even contacts. You can specify many common attributes to add with the object, but the command doesn't support all possible objects.

To add an OU to BigTex.net, type the following on one line:

dsadd ou OU=roughnecks,DC=bigtex,DC=net -desc "Oilfield Roughnecks"

To add a group in the new OU, type

dsadd group CN=goodolboys,OU=roughnecks,DC=bigtex,DC=net -secgrp yes

At the same time you create the group, you can add members to it by using the -members option and nest it in other groups by using the -memberof option. To add a user named Jim Bob to the new group, type

dsadd user "CN=James Robert,CN=Users,DC=bigtex,DC=net" -samid JIMBOB -upn jimbob@bigtex.net -fn James -ln Robert -empid 123456 -pwd n0tsecure! -mustchpwd yes -memberof CN=goodolboys,OU=roughnecks,DC=bigtex,DC=net

Note that I've specified a password so that I can add multiple users without pausing at each one to enter a password. However, because I've set the -mustchpwd parameter to yes, users must change their password on first logon.
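The following batch file is an added example, not code from the article: it bulk-creates accounts with the same dsadd switches used above, reading them from a constructed CSV file (newusers.csv), with the container, group and log file names being my assumptions.

```batch
@echo off
setlocal
rem Added example, not from the article: bulk-create users with the dsadd
rem switches shown above, one account per line of a CSV file.
rem Assumed (constructed) input file newusers.csv, no header line, each line
rem   samid,firstname,lastname,empid      for example:
rem   JIMBOB,James,Robert,123456
rem   BILLYRAY,Billy,Ray,123457
rem Container and group are the ones created earlier in the article.
set "USERS_OU=OU=roughnecks,DC=bigtex,DC=net"
set "GROUP_DN=CN=goodolboys,OU=roughnecks,DC=bigtex,DC=net"
set "LOG=dsadd-errors.log"

rem Ask for the initial password once instead of writing it into this script,
rem so it is not left behind in the file, its backups, or source control.
rem (dsadd also accepts -pwd * to prompt separately for every account.)
set /p INITPWD=Initial password for the new accounts: 

for /f "usebackq tokens=1-4 delims=," %%A in ("newusers.csv") do (
    echo Creating %%A ...
    rem -mustchpwd yes forces a password change at first logon, as in the article.
    dsadd user "CN=%%B %%C,%USERS_OU%" -samid %%A -upn %%A@bigtex.net ^
        -fn %%B -ln %%C -empid %%D -pwd "%INITPWD%" -mustchpwd yes ^
        -memberof "%GROUP_DN%"
    if errorlevel 1 echo dsadd failed for %%A >> "%LOG%"
)
if exist "%LOG%" echo Some accounts were not created; see %LOG%
endlocal
```

Even when prompted for rather than stored, the password is still visible in each dsadd process's command line while it runs, so run the script on the DC console rather than through a shared session.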

The Dsquery Utility
You can use two new command-line utilities to retrieve information about eight Windows 2003 AD objects: sites, subnets, servers, computers, OUs, groups, users, and contacts. Dsquery is meant for broader searches and supports the asterisk character (*) as a wildcard to search for all objects that match specific criteria. Dsget is more specific; you use it to view the properties of a specific object in the directory.

Figure 2 shows Dsquery's syntax with the most common parameters and their possible values. For Dsquery's first parameter (StartNode) you can specify the DN of a starting node for the search, forestroot (to search the GC), or domainroot (the default), which starts at the root of the domain to which you're connected. The -scope parameter defines how deeply you want to search: subtree (the default) searches the starting node and every subtree under it, onelevel searches only the immediate children of the starting node and no subtrees below them, and base searches only the object you specified in StartNode. The -filter parameter lets you specify a Lightweight Directory Access Protocol (LDAP) query filter if you want to retrieve only objects that match specific criteria; an example of a valid search filter is (&(objectCategory=Person)(sn=smith*)). The -attr parameter returns only the attributes specified in AttributeList, and the -attrsonly parameter displays only the names of the attributes that are present, not their values. The -l parameter returns the results in list format instead of the default table format.

For example, if you have an extensive AD implementation with many subnets, you could use the following Dsquery command to search for a specific subnet without digging through all the subnet definitions in the MMC Active Directory Sites and Services console:

dsquery * cn=subnets,cn=sites,cn=configuration,dc=bigtex,dc=net -scope subtree

Dsquery would return the results that Figure 3 shows.

The Dsget Utility
You can use the Dsget utility to display certain properties of AD objects. Like all the other AD-related command-line utilities, you select the object you want to display by DN. Figure 4 shows the general syntax of Dsget. DN is the DN of the object you're searching for, and AttributeOptions lists which of up to 33 attributes (e.g., -empid, -office) you want to display. The number of available attributes depends on the kind of object you're searching for.

For example, to check a user account to see whether the password was set to never expire (a setting that usually requires a security waiver), you could type

dsget user "cn=James Robert,OU=roughnecks,DC=bigtex,DC=net" -pwdneverexpires

and receive the following result:

pwdneverexpires
     yes
dsget succeeded
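To audit the password-never-expires setting across the whole domain rather than one account at a time, this added example (not from the article) combines the -filter syntax from the Dsquery section with the dsget check above; it assumes the bigtex.net domain and an output file name of my choosing.

```batch
@echo off
setlocal
rem Added example, not from the article: list enabled accounts whose password
rem is set to never expire, the setting the article says usually needs a
rem security waiver. Assumes the article's bigtex.net domain.
set "OUTFILE=pwd-never-expires.txt"

rem userAccountControl is a bit field. The matching-rule OID
rem 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND;
rem 65536 (0x10000) = DONT_EXPIRE_PASSWORD and 2 = ACCOUNTDISABLE.
rem -limit 0 lifts dsquery's default cap of 100 returned objects.
dsquery * domainroot -scope subtree -limit 0 ^
    -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" ^
    -attr sAMAccountName distinguishedName > "%OUTFILE%"

rem Cross-check one account the way the article does; dsget reads the DNs
rem that dsquery writes to its standard output.
dsquery user domainroot -samid JIMBOB | dsget user -dn -samid -pwdneverexpires -disabled

rem Count the hits: the first line of the file is dsquery's column header.
for /f %%N in ('type "%OUTFILE%" ^| find /c /v ""') do set /a HITS=%%N-1
echo %HITS% enabled account(s) with a non-expiring password; see %OUTFILE%
endlocal
```

Run it on a schedule and diff successive output files; a new line is an account that gained the setting since the last run and should have a matching waiver.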

Reader Comments

I liked the article and the utilities and tried some of the examples. But nowhere can I find any reference to error messages I might receive, especially with DSADD.

For instance, when adding an OU as in your first example of the DSADD utility, dsadd failed with "A referral was returned from the server."

What does this mean? I certainly don't know.

Brian

Hello, I'd like to help Brian. This error appears when the ds-command syntax is incorrect. In this case, 1) check the DN of your query or 2) try adding quotes to the DN. Hope this helps.

Eugene Sarazhinsky

I'd like to add users with the DN in the form "LastName, First". I can't seem to get this to work. Also, is there any way to automatically create the e-mail account at the same time?

MikeWachholz


It's the best page, really a boon for me in this hard time. Thanks to the writer.

Anonymous User

Try changing CN=users in the DSADD command to OU=users. That should fix the problem with the command returning an error. Change "users" to whatever OU you want to place the newly created user in.

-Schauste

Anonymous User

Let's say I have an OU called Admin. Within that OU I created 2 more OUs called users and computers. How would I map to a user in OU=Admin when the user is inside OU=sales?

I can get everything to work through just having an Admin OU, but for administration purposes I have added a further 2 OUs within an OU.

How would I use, say, the dsadd command to put a user in an OU within an OU?

Anonymous User

I thought command line utilities were only for Novell and Unix Administrators, and the big advantage to the Windows GUI was you didn't need command line utilities. How about some real integrated tools that do the job of batching and scripting for use, like ZenWorks.

wglabais


With the 2 OUs (nested), the syntax is to list the lowest OU first, i.e., in the case of Sales inside Admin, type

dsadd computer "CN=<pcname>,OU=Sales,OU=Admin,DC=<DomainName>,DC=<DomainSuffix>"

Hope this helps. Steve B

Anonymous User

Something I was taught on a course recently; "Read it Right to Left"

Pete

Anonymous User


I would like to know, when two users use NAT,

how does NAT understand which user a received packet belongs to?

Anonymous User


Good site.

hamedjafari
